Hospital CISOs Offer Strategy Tips
Build a team, avoid "firefighting" approach
At many hospitals, "The risk management office and the security office don't talk well to each other and that's a big issue to address," says Bryan Cline, Ph.D., director of information security at Catholic Health East, a 34-hospital system based in Newtown Square, Pa.
Catholic Health East has a security leadership team that includes general counsel, public relations, privacy and compliance staffers, the CIO as well as Cline. Such a committee is important, the security director says, because all staff throughout the hospital play a role in keeping information secure.
And a leadership team is essential, he adds, "because security is one of the last things people want to talk about."
Unless hospitals create such a cross-functional security team, "security is always going to be viewed just as an IT issue," Cline contends.
He made his comments Feb. 12 at an online media roundtable on healthcare data security sponsored by Verizon, a telecommunications company, and the Health Information Trust Alliance (HITRUST), which offers the Common Security Framework, a set of controls that guides organizations on security compliance issues.
A business perspective
Hospitals must address the issue of information security from a business perspective, not just a technology perspective, Cline stresses. "And if you have a culture that's resistant to processes and standards that provide accountability, you won't succeed."
Too many hospitals tackle information security in a "firefighting mode," reacting to the latest crisis, Cline laments. Instead, they should develop "a broad-based information security framework."
"The fundamentals are not being addressed in most institutions," the security director says. He calls on hospitals to systematically determine the protection requirements for each class of data and then "determine the business requirements for role-based access control."
Most hospitals also should develop a unit of full-time security experts within their IT department rather than adding security to the long list of other duties that IT staffers who support operations must tackle, Cline contends. Otherwise, multi-tasking staff members will give only minimal attention to security because "they're working on operational issues first."
Protecting mobile devices
In setting their security priorities for this year, all hospitals should view the protection of data stored on mobile devices as important, says roundtable participant Michael Frederick, chief information security officer at Baylor Healthcare System in Dallas.
Baylor encrypts laptops, thumb drives and all other portable devices, Frederick says, and it goes a step further by encrypting its hard drives as well.
Another priority for Baylor this year, the CISO says, is "making sure that we have systems that produce good audit trails" so that the organization can produce reports that demonstrate compliance with federal and state security requirements.
And as more information is digitized, Baylor is devoting more resources to disaster recovery and business continuity, Frederick adds. That's because making sure all systems are available "is becoming a patient safety issue."
In taking action to prevent data breaches, healthcare organizations must emphasize staff education, says Graham Ward, HITRUST's director of education and training.
"Make sure users are aware that a lot of breaches are inadvertent and come through carelessness," he stresses. For example, too many organizations use default passwords, and too many staffers leave laptops behind in rooms, he says.
Hospitals and others can save a lot of money if they develop formal procedures for responding to a data breach, says Khalid Kark, vice president and principal analyst with Forrester Research, who moderated the roundtable.
They must also work with the business associates with whom they share data to ensure those firms are taking reasonable security precautions, he adds. "That's a huge challenge that not a lot of organizations have started to address yet," Kark says.